TLS 1.2 enforcement on Azure Cosmos DB
Microsoft Azure recommends all customers complete migration towards solutions that support transport layer security (TLS) 1.2 and make sure that TLS 1.2 is used by default.
Azure Cosmos DB already supports TLS 1.2. To ensure our customers are covered with the best level of security, TLS 1.2 will be enforced by default starting July 29th, 2020 on:
- new accounts,
- existing accounts where our records show that client connections use TLS 1.2 exclusively.
This means that any client request that uses a TLS version lower than 1.2 will be actively rejected on these accounts.
If you are currently using a TLS version lower than 1.2 to connect to your existing account, you will not be impacted, and your application will continue to work normally. We still recommend upgrading your client connections to TLS 1.2. How to perform this upgrade depends on the platform your client applications run on: TLS enforcement options exist at both the operating system and the application framework level. Here are some pointers to follow:
- Solving the TLS 1.0 Problem
- Enabling TLS 1.2 with the Windows registry
- If you are using the .NET Framework
- If you are using Java
- If you are using Python
- If you are using Node.js
- Microsoft TLS 1.3 Support Reference
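The pointers above cover the framework-level switches. As an added check that is not part of the original post, the following Python script builds a client context that refuses anything below TLS 1.2 (the behaviour the service will apply once enforcement is on), opens one handshake against an account endpoint from the machine it runs on, and reports the negotiated version; the endpoint host name is a placeholder, and the `meets_policy` helper is this example's own.

```python
import socket
import ssl
from typing import Optional

# Constructed placeholder; replace with your own account's endpoint host.
ACCOUNT_HOST = "your-account.documents.azure.com"
PORT = 443


def tls12_only_context() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2.

    Set explicitly rather than relying on defaults: older Python/OpenSSL
    builds still allow TLS 1.0 and 1.1 in create_default_context().
    """
    ctx = ssl.create_default_context()  # verifies server certificate and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def context_enforces_tls12(ctx: ssl.SSLContext) -> bool:
    """True if the context can never negotiate below TLS 1.2."""
    return ctx.minimum_version >= ssl.TLSVersion.TLSv1_2


def meets_policy(version: Optional[str]) -> bool:
    """Classify a version string as returned by SSLSocket.version(),
    e.g. "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"; None means no TLS."""
    if not version or not version.startswith("TLSv1"):
        return False  # SSLv3 or no connection at all
    minor = version[len("TLSv1"):]  # "", ".1", ".2", ".3"
    return int(minor.lstrip(".") or "0") >= 2


def negotiated_version(host: str, port: int = PORT, timeout: float = 10.0) -> Optional[str]:
    """Open one TLS connection and return the negotiated protocol version,
    or None if the handshake fails (which is what a client stuck on
    TLS 1.0/1.1 will see once the account enforces TLS 1.2)."""
    ctx = tls12_only_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return tls.version()
    except (ssl.SSLError, OSError):
        return None


if __name__ == "__main__":
    v = negotiated_version(ACCOUNT_HOST)
    print(f"{ACCOUNT_HOST}: negotiated {v}; meets TLS 1.2 policy: {meets_policy(v)}")
```

Run it from the same hosts your application runs on; it exercises that machine's OpenSSL stack, so a .NET or Java client on the same box still needs the framework-specific setting from the links above.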
2 comments
It would be great if .NET Core (Linux) were already mentioned. Any specific minimum version required? Are we affected at all?
Hi Roman,
ServicePointManager is supported in .NET Core so you should set the SecurityProtocol to TLS12 (see https://docs.microsoft.com/en-us/dotnet/api/system.net.servicepointmanager.securityprotocol?view=netcore-3.1#System_Net_ServicePointManager_SecurityProtocol). Note that if you have an existing Cosmos DB account that you connect to with TLS < 1.2, you will not be affected as we won't enforce TLS 1.2 on that account.
Hope this helps,
Thomas